{"id":16202,"library":"safe-buffer","title":"Safer Node.js Buffer API Polyfill","description":"safe-buffer is a JavaScript library that provides a consistent and safer API for Node.js `Buffer` operations, particularly for older Node.js environments. It backports the modern `Buffer.from`, `Buffer.alloc`, and `Buffer.allocUnsafe` methods, which address security and stability concerns related to uninitialized memory in older `new Buffer(size)` constructors. For Node.js versions where these safer methods are natively available (v6.0.0 and above), `safe-buffer` transparently defers to the built-in implementation, acting as a compatibility layer. The current stable version is 5.2.1, with releases being infrequent given its role as a polyfill for established Node.js core APIs, with the last major update occurring approximately 6 years ago. Its primary differentiator is ensuring safe `Buffer` allocation across a wide range of Node.js versions without requiring conditional logic in application code.","status":"maintenance","version":"5.2.1","language":"javascript","source_language":"en","source_url":"git://github.com/feross/safe-buffer","tags":["javascript","buffer","buffer allocate","node security","safe","safe-buffer","security","uninitialized","typescript"],"install":[{"cmd":"npm install safe-buffer","lang":"bash","label":"npm"},{"cmd":"yarn add safe-buffer","lang":"bash","label":"yarn"},{"cmd":"pnpm add safe-buffer","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"Imports the named Buffer class for ESM environments.","symbol":"Buffer","correct":"import { Buffer } from 'safe-buffer';"},{"note":"CommonJS pattern to access the Buffer class exported as a property. While destructuring `const { Buffer } = require('safe-buffer');` technically works, the explicit property access `require('safe-buffer').Buffer` is shown in the README and often preferred for clarity.","wrong":"const { Buffer } = require('safe-buffer');","symbol":"Buffer","correct":"const Buffer = require('safe-buffer').Buffer;"},{"note":"The module does not provide a default export that represents the Buffer class directly; Buffer is a named export.","wrong":"import SafeBuffer from 'safe-buffer';","symbol":"Buffer","correct":"import { Buffer } from 'safe-buffer';"}],"quickstart":{"code":"const Buffer = require('safe-buffer').Buffer;\n\nconsole.log(\"Using safe-buffer for Buffer operations:\\n\");\n\n// The old, potentially unsafe way: new Buffer(size) or Buffer(size)\n// While safe-buffer provides compatibility, this can create uninitialized buffers\n// in older Node.js versions and is deprecated.\nconsole.log('Old (deprecated) uninitialized buffer via new Buffer(10):');\ntry {\n  const oldBuffer = new Buffer(10);\n  console.log(oldBuffer); // Might show garbage data in older Node.js\n} catch (e) {\n  console.log('  Caught error for new Buffer(10):', e.message);\n}\n\n// Modern, safe way: zero-filled buffer (recommended for new allocations)\nconsole.log('\\nSafe zero-filled buffer via Buffer.alloc(10):');\nconst safeBuffer = Buffer.alloc(10);\nconsole.log(safeBuffer);\n\n// Modern way: uninitialized buffer (faster, use if you immediately overwrite contents)\n// Be cautious: this memory may contain sensitive data if not fully overwritten.\nconsole.log('\\nPotentially unsafe uninitialized buffer via Buffer.allocUnsafe(10):');\nconst unsafeAllocBuffer = Buffer.allocUnsafe(10);\nconsole.log(unsafeAllocBuffer); // Contents are unpredictable\n\n// Creating a buffer from a string\nconsole.log('\\nBuffer from string via Buffer.from(\"Hello, safe-buffer!\"):');\nconst stringBuffer = Buffer.from('Hello, safe-buffer!', 'utf8');\nconsole.log(stringBuffer.toString('utf8'));\n\n// Creating a buffer from an array of octets\nconsole.log('\\nBuffer from array via Buffer.from([0x68, 0x65, 0x6C, 0x6C, 0x6F]):');\nconst arrayBuffer = Buffer.from([0x68, 0x65, 0x6C, 0x6C, 0x6F]);\nconsole.log(arrayBuffer.toString('utf8'));\n\n// Copying an existing buffer\nconsole.log('\\nCopying an existing buffer:');\nconst originalBuf = Buffer.from('original');\nconst copiedBuf = Buffer.from(originalBuf); // Creates a new buffer with copied data\noriginalBuf[0] = 0x58; // Modify the original buffer\nconsole.log('  Original after change:', originalBuf.toString());\nconsole.log('  Copied buffer (should remain \"original\"):', copiedBuf.toString());","lang":"javascript","description":"Demonstrates `safe-buffer`'s core functionality, including safe and unsafe buffer allocation methods (`Buffer.alloc`, `Buffer.allocUnsafe`), and creating buffers from strings or arrays using `Buffer.from`, contrasting them with the deprecated `new Buffer()`."},"warnings":[{"fix":"Always use `Buffer.alloc(size)` for new buffer allocations unless `Buffer.allocUnsafe(size)` is explicitly required for performance and you are certain the buffer's contents will be fully overwritten immediately.","message":"The `new Buffer(size)` constructor (and `Buffer(size)` as a function call) created uninitialized memory in Node.js versions prior to 8.0.0. This could lead to disclosure of sensitive data if the buffer was not entirely overwritten before being exposed. `safe-buffer` provides `Buffer.alloc()` for safe, zero-filled buffers and `Buffer.allocUnsafe()` for performance-critical scenarios where uninitialized memory is acceptable, emphasizing the need for developers to explicitly choose safe allocation.","severity":"breaking","affected_versions":"<8.0.0"},{"fix":"Migrate all uses of `new Buffer()` or `Buffer()` (as a function) to `Buffer.alloc()`, `Buffer.allocUnsafe()`, or `Buffer.from()` based on the desired allocation and initialization behavior.","message":"The `new Buffer()` constructor is officially deprecated in Node.js since v10.0.0 and has been completely removed in v12.0.0. While `safe-buffer` allows its use for backward compatibility, relying on it will lead to runtime deprecation warnings in Node.js v10/v11 and errors in v12+.","severity":"deprecated","affected_versions":">=10.0.0"},{"fix":"For new projects targeting Node.js 6.0.0+, avoid `safe-buffer` and use the native `Buffer` APIs directly. For existing projects, consider removing `safe-buffer` if dropping support for Node.js versions below 6.0.0.","message":"Using `safe-buffer` in Node.js versions 6.0.0 and above is largely redundant, as these versions natively include `Buffer.from()`, `Buffer.alloc()`, and `Buffer.allocUnsafe()` methods. While `safe-buffer` gracefully defers to the native implementation when available, it adds an unnecessary dependency and a layer of indirection to your project.","severity":"gotcha","affected_versions":">=6.0.0"},{"fix":"Strictly avoid `new Buffer(size)` and `Buffer(size)` in all code, even when using `safe-buffer`. Always explicitly use `Buffer.alloc(size)` for safe zero-filled buffers or `Buffer.allocUnsafe(size)` when raw uninitialized memory is intentionally handled.","message":"A critical 'footgun' exists where `safe-buffer` still permits `Buffer(size)` (calling `Buffer` as a function without `new`) which, in Node.js versions prior to 8.0.0, allocates uninitialized memory. Moreover, it can silence linting tools that would otherwise warn about the deprecated `Buffer()` call, giving a false sense of security.","severity":"gotcha","affected_versions":"<8.0.0"}],"env_vars":null,"last_verified":"2026-04-21T00:00:00.000Z","next_check":"2026-07-20T00:00:00.000Z","problems":[{"fix":"Replace all instances of `new Buffer(...)` with `Buffer.alloc(...)` for zero-filled buffers, `Buffer.allocUnsafe(...)` for uninitialized buffers, or `Buffer.from(...)` for creating buffers from existing data.","cause":"Using the `new Buffer()` constructor directly or indirectly via `safe-buffer` in Node.js v10.0.0 or higher.","error":"DeprecationWarning: new Buffer() is deprecated"},{"fix":"If creating a new buffer, use `new Buffer(...)` (deprecated in modern Node.js) or preferably `Buffer.alloc(...)`, `Buffer.allocUnsafe(...)`, or `Buffer.from(...)`.","cause":"Attempting to call `Buffer()` as a function (e.g., `Buffer(10)`) in Node.js versions where `Buffer` is strictly a class constructor.","error":"TypeError: Class constructor Buffer cannot be invoked without 'new'"},{"fix":"For all new allocations, use `Buffer.alloc(size)` which guarantees zero-filled memory. If `Buffer.allocUnsafe(size)` is used for performance, ensure the entire allocated memory segment is explicitly written to before any part of the buffer is exposed or returned.","cause":"Using `Buffer.allocUnsafe(size)` without immediately and fully overwriting its contents, or relying on `new Buffer(size)` / `Buffer(size)` in Node.js < v8.0.0.","error":"Potential sensitive data disclosure due to uninitialized buffer memory."}],"ecosystem":"npm"}